Powershell Invoke-WebRequest broken, even though TLS1.2 is explicitly enabled
Summary
A known issue with Powershell is that by default, TLS is limited to version 1.0. This prevents HTTPS downloads using Invoke-WebRequest from most websites. TLS 1.2 and 1.1 can be enabled with the following command:
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
This does not work inside Gitlab Runner.
Steps to reproduce
- Attempt to download any zip using Powershell in a .gitlab-ci.yml script
.gitlab-ci.yml
build-win:
  tags:
    - windows
  image:
    name: python:3.7.6-windowsservercore-1809
    entrypoint:
      - powershell
  before_script:
    - '[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"'
    - Invoke-WebRequest -UseBasicParsing -Uri "https://github.com/upx/upx/releases/download/v3.96/upx-3.96-win64.zip" -Outfile .\upx-3.96-win64.zip
    - Expand-Archive -Path upx-3.96-win64.zip -DestinationPath .
    - $env:Path += ";$pwd\upx-3.96-win64"
Actual behavior
- Runner errors out with a message
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
Expected behavior
- Runner will download file (in this case upx-3.96-win64.zip)
Relevant logs and/or screenshots
job log
Running with gitlab-runner 12.7.1 (003fe500)
on [HOST] [TOKEN]
Using Docker executor with image python:3.7.6-windowsservercore-1809 ...
Pulling docker image python:3.7.6-windowsservercore-1809 ...
Using docker image sha256:c0bef391afa747308f757be6873b651fae9ab4afa78961110e7125499bd376ca for python:3.7.6-windowsservercore-1809 ...
Running on [RUNNER] via [HOST]...
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in c:/builds/u/p/.git/
From https://gitlab.example.com/u/p
* [new ref] refs/pipelines/24 -> refs/pipelines/24
70da3e2..7c19669 master -> origin/master
Checking out 7c196699 as master...
Removing [APP].zip
Removing build/
Removing dist/
Removing upx-3.96-win64.zip
Removing upx-3.96-win64/
Removing vc_redist.x64.exe
git-lfs/2.7.1 (GitHub; windows amd64; go 1.11.5; git 6b7fb6e3)
Skipping Git submodules setup
$ [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
$ Invoke-WebRequest -UseBasicParsing -Uri "https://github.com/upx/upx/releases/download/v3.96/upx-3.96-win64.zip" -Outfile .\upx-3.96-win64.zip
Invoke-WebRequest : The underlying connection was closed: An unexpected error
occurred on a send.
At line:1 char:1
+ Invoke-WebRequest -UseBasicParsing -Uri "https://github.com/upx/upx/r ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:Htt
pWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShe
ll.Commands.InvokeWebRequestCommand
ERROR: Job failed: exit code 1
Environment description
- Shared runner on Windows Server 2019, build 1809
config.toml contents
concurrent = 1
check_interval = 0
[session_server]
session_timeout = 1800
[[runners]]
name = "HOST"
url = "https://HOST.example.com/"
token = "TOKEN"
tls-ca-file = "C:\\Gitlab-Runner\\certs\\HOST.example.com.crt"
executor = "docker-windows"
environment = ["GIT_SSL_NO_VERIFY=true"]
[runners.custom_build_dir]
[runners.docker]
tls_verify = false
image = "mcr.microsoft.com/windows/servercore:ltsc2019"
privileged = false
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["c:\\cache"]
shm_size = 0
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
Used GitLab Runner version
PS C:\Gitlab-Runner> .\gitlab-runner.exe --version
Version: 12.7.1
Git revision: 003fe500
Git branch: 12-7-stable
GO version: go1.13.5
Built: 2020-01-23T09:17:10+0000
OS/Arch: windows/amd64
PS C:\Gitlab-Runner>
Possible fixes
- Unknown
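A diagnostic wrapper for the failing download step above, as an added example that is not part of the original report: it adds TLS 1.2 through the enum rather than a string, prints the value in effect in the same session that makes the request, and unwraps the inner exceptions behind "An unexpected error occurred on a send". The function name Get-FileOverTls12 is hypothetical.

```powershell
# Added example, not from the original report. Get-FileOverTls12 is a hypothetical helper name.
function Get-FileOverTls12 {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $OutFile
    )

    # OR TLS 1.2 into whatever is already enabled, using the enum type
    # so the result does not depend on string-to-enum conversion.
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # Show what is actually in effect in this session, right before the request.
    Write-Host "SecurityProtocol in effect: $([Net.ServicePointManager]::SecurityProtocol)"
    Write-Host "PowerShell version: $($PSVersionTable.PSVersion)"

    try {
        Invoke-WebRequest -UseBasicParsing -Uri $Uri -OutFile $OutFile -ErrorAction Stop
    }
    catch {
        # The top-level WebException is generic; the inner exceptions usually
        # say whether the handshake, the socket or a proxy closed the connection.
        $e = $_.Exception
        while ($e) {
            Write-Host "$($e.GetType().FullName): $($e.Message)"
            $e = $e.InnerException
        }
        throw   # keep the job failing with the original error
    }

    # Return the SHA-256 of the download so it can be compared with a pinned value.
    (Get-FileHash -Algorithm SHA256 -Path $OutFile).Hash
}

# Call with the URL and output file from the job above:
# Get-FileOverTls12 -Uri "https://github.com/upx/upx/releases/download/v3.96/upx-3.96-win64.zip" -OutFile .\upx-3.96-win64.zip
```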